
National Cybersecurity and Communications Integration Center 


Combating the Insider Threat 2 May 2014 


DISCLAIMER: This advisory is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not 
provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or 
service, referenced in this advisory or otherwise. 

Executive Summary 


An insider threat is generally defined as a current or former employee, contractor, or other business 
partner who has or had authorized access to an organization's network, system, or data and intentionally 
misused that access to negatively affect the confidentiality, integrity, or availability of the organization's 
information or information systems.[1] Insider threats, including sabotage, theft, espionage, fraud, and 
competitive advantage, are often carried out through abusing access rights, theft of materials, and 
mishandling physical devices. Insiders do not always act alone and may not be aware they are aiding a 
threat actor (i.e., the unintentional insider threat). It is vital that organizations understand normal employee 
baseline behaviors and also ensure employees understand how they may be used as a conduit for others to 
obtain information. The following product is intended to act as a springboard for organizations to consider 
policies and practices used to detect and deter the insider threat. 

The insider 


Building a baseline understanding of the personalities and behavioral norms of those previously defined 
as ‘insiders’ will make detecting deviations in these norms easier. Some general behavioral characteristics 
of insiders at risk of becoming a threat include:[2][3] 


Characteristics of Insiders at Risk of Becoming a Threat 

Introversion 
Greed/financial need 
Vulnerability to blackmail 
Compulsive and destructive behavior 
Rebellious, passive aggressive 
Ethical “flexibility” 
Reduced loyalty 
Entitlement - narcissism (ego/self-image) 
Minimizing their mistakes or faults 
Inability to assume responsibility for their actions 
Intolerance of criticism 
Self-perceived value exceeds performance 
Lack of empathy 
Predisposition towards law enforcement 
Pattern of frustration and disappointment 
History of managing crises ineffectively 


Individuals that exhibit these characteristics may reach a point at which they carry out malicious activity 
against the organization. One of the best prevention measures is to train employees to recognize and 
report behavioral indicators exhibited by peers or business partners. 

Some Behavioral Indicators of Malicious Threat Activity:[4][5] 

• Remotely accesses the network while on vacation, sick or at odd times 

• Works odd hours without authorization 

• Notable enthusiasm for overtime, weekend or unusual work schedules 

• Unnecessarily copies material, especially if it is proprietary or classified 

• Interest in matters outside of the scope of their duties 

• Signs of vulnerability, such as drug or alcohol abuse, financial difficulties, gambling, illegal 
activities, poor mental health or hostile behavior, should trigger concern. Be on the lookout for 
warning signs among employees such as the acquisition of unexpected wealth, unusual foreign 
travel, irregular work hours or unexpected absences.[6] 
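The first two indicators above (remote access while on leave, or at hours the employee does not normally work) are the ones most readily checked against logs an organization already keeps. The script below is an added example, not part of this advisory: it builds a per-user baseline of usual login hours from a historical window of remote-access records, then flags later logins that fall during recorded leave or far outside that baseline. The log format, the HR leave calendar, the user names and the addresses are all constructed for illustration.

```python
"""Flag remote logins during recorded leave or outside a user's usual hours.
Added example, not part of the DHS advisory; log format, leave calendar and
user names are constructed."""
from collections import defaultdict
from datetime import datetime, date
import re
import statistics

# Constructed VPN log: ISO timestamp, user, source address. The first week is
# the history used for the baseline; later lines are the period under review.
VPN_LOG = """\
2014-04-01T09:02:11 vpn login user=jdoe src=203.0.113.10
2014-04-02T08:55:40 vpn login user=jdoe src=203.0.113.10
2014-04-03T09:10:05 vpn login user=jdoe src=203.0.113.10
2014-04-04T08:48:30 vpn login user=jdoe src=203.0.113.10
2014-04-07T09:05:00 vpn login user=jdoe src=203.0.113.10
2014-04-08T03:14:22 vpn login user=jdoe src=198.51.100.7
2014-04-15T10:30:00 vpn login user=jdoe src=198.51.100.7
2014-04-01T22:10:00 vpn login user=nightshift src=203.0.113.20
2014-04-02T22:05:00 vpn login user=nightshift src=203.0.113.20
2014-04-03T22:12:00 vpn login user=nightshift src=203.0.113.20
2014-04-04T22:01:00 vpn login user=nightshift src=203.0.113.20
2014-04-08T22:09:00 vpn login user=nightshift src=203.0.113.20
"""

# Constructed HR leave records: user -> list of inclusive (start, end) dates.
LEAVE = {"jdoe": [(date(2014, 4, 14), date(2014, 4, 18))]}

LINE_RE = re.compile(r"^(\S+) vpn login user=(\S+) src=(\S+)$")


def parse_log(text):
    """Return (timestamp, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def build_hour_profile(events, min_samples=4):
    """Per-user mean and standard deviation of login hour-of-day. A user with
    fewer than min_samples logins gets no profile rather than a guessed one."""
    hours = defaultdict(list)
    for ts, user, _ in events:
        hours[user].append(ts.hour + ts.minute / 60)
    return {u: (statistics.mean(h), statistics.pstdev(h))
            for u, h in hours.items() if len(h) >= min_samples}


def on_leave(user, day):
    return any(start <= day <= end for start, end in LEAVE.get(user, []))


def flag_logins(events, profile, cutoff, z_threshold=3.0, min_sigma=1.0):
    """Evaluate logins at or after cutoff. Reasons: on_leave (login during
    recorded leave), off_hours (login hour more than z_threshold sigmas from the
    user's usual hour; sigma is floored at min_sigma hours so a very regular
    user is not flagged by minutes of drift), no_baseline (nothing to compare)."""
    flagged = []
    for ts, user, src in events:
        if ts < cutoff:
            continue
        reasons = []
        if on_leave(user, ts.date()):
            reasons.append("on_leave")
        if user in profile:
            mean, sigma = profile[user]
            hour = ts.hour + ts.minute / 60
            if abs(hour - mean) / max(sigma, min_sigma) > z_threshold:
                reasons.append("off_hours")
        else:
            reasons.append("no_baseline")
        if reasons:
            flagged.append((ts.isoformat(), user, tuple(reasons)))
    return flagged


def run(cutoff=datetime(2014, 4, 8)):
    """Baseline on events before cutoff, review everything from cutoff on."""
    events = parse_log(VPN_LOG)
    profile = build_hour_profile([e for e in events if e[0] < cutoff])
    return flag_logins(events, profile, cutoff)


if __name__ == "__main__":
    for ts, user, reasons in run():
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Two design points matter more than the arithmetic: the baseline is built only from a window that precedes the period under review, so the anomalous logins cannot pull the baseline toward themselves, and the night-shift user is not flagged, because "odd hours" is relative to each person's own pattern rather than to a nine-to-five assumption. In practice the leave calendar comes from HR and the review output feeds a human triage step, not an automatic action.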

Identifying behavioral indicators may be difficult, particularly if they do not occur for a long period of 
time and therefore do not set a pattern. Therefore, a good understanding of risk characteristics and events 
that may trigger those characteristics is essential. Individuals pose threats for a variety of reasons; some 
theories to consider are listed below: 


Some Behavior Prediction Theories To Consider [7] 

General Deterrence Theory (GDT) [8]: Person commits crime if expected benefit outweighs cost of action. 

Social Bond Theory (SBT) [9]: Person commits crime if social bonds of attachment, commitment, 
involvement and belief are weak. 

Social Learning Theory (SLT) [10]: Person commits crime if associates with delinquent peers. 

Theory of Planned Behavior (TPB) [11]: Person’s intention (attitude, subjective norms and perceived behavior 
control) towards crime is the key factor in predicting behavior. 

Situational Crime Prevention (SCP) [12]: Crime occurs when both motive and opportunity exist. 


These behaviors may manifest in different stages of an insider threat scenario. Some commonly accepted 
stages include: Exploration (Recruitment/Tipping Point); Experimentation (Search/Reconnaissance); 
Exploitation (Utilizing the Weakness); Execution (Collection/Exfiltration); and Escape & Evasion 
(Obfuscation).[13][14] Understanding these stages may help organizations put individual risk characteristics 
and behavioral indicators into the context of an insider threat as the activity is occurring rather than after. 

These behaviors and indicators, whether detected via technology or human observation techniques, are 
intended to detect the malicious insider. It is equally important, though, to create productive and healthy 
work environments to help reduce the unintentional insider threat. Some countermeasures include:[15] 

• Train employees to recognize phishing and other social media threat vectors 

• Train continuously to maintain the proper levels of knowledge, skills, and abilities 

• Conduct training on and improve awareness of risk perception and cognitive biases that affect 
decision making 

• Improve usability of security tools 

• Improve usability of software to reduce the likelihood of system-induced human error 

• Enhance awareness of the unintentional insider threat 

• Provide effective security practices (e.g., two-factor authentication for access) 

• Maintain staff values and attitudes that align with organizational mission and ethics 

Detect and Deter 


It is worth noting that one recent study names local area network (LAN) access as the top vector for 
insider threats/misuse (71%), followed by physical (28%) then remote access (21%).[16] The following 
offers detection, prevention and deterrence methods to consider. Additional reference points have been 
added for convenience in the event organizations are interested in pursuing particular methods.[17] 


Some Security Technologies to Detect/Prevent Insider Attacks Include:[18][19][20][21] 

Data/file encryption 

Enterprise identity and access management (IAM) [22] 

Data access monitoring 

Data access control [23] 

SIEM or other log analysis [24] 

Intrusion detection/prevention systems (IDS/IPS) 

Data loss prevention (DLP) 

Enterprise digital rights management solution 

Data redaction 



Some Deterrence Methods Include:[25][26][27] 

• Deploy data-centric, not system centric security 

• Crowd-source security 

• Use positive social engineering 

• Think like a marketer and less like an IDS analyst 

• Build a baseline based on volume, velocity, frequency and amount based on hourly, weekly, and 
monthly normal patterns 

• Use centralized logging to detect data exfiltration near insider termination [28] 

• Require identification for all assets (e.g. access cards, passwords, inventory check out) 

• Note frequent visits to sites that may indicate low productivity, job discontent and potential legal 
liabilities (e.g. hate sites, pornography) 

• Announce the use of policies that monitor events like unusual network traffic spikes, volume of 
USB/mobile storage use, volume of off-hour printing activities and inappropriate use of 
encryption [29] 

• Provide avenues for employees to vent concerns and frustrations to aid in mitigating the insider 
threat motivated by disgruntlement 

• Implement employee recognition programs that offer public praise to aid in mitigating the insider 
threat motivated by ego 

• Authorize users based on least access privilege and conduct periodic audits to detect 
inappropriately granted access or access that still exists from previous job roles/functions and 
should be removed [30] 
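Three of the deterrence methods above are mechanical enough to script: building a volume baseline from normal daily patterns, watching for exfiltration more closely near a known termination date, and auditing granted access against what the current job role actually requires. The script below is an added example, not part of this advisory or any DHS tool: it baselines each user's daily bytes out from a history window, flags days that exceed the baseline (with a lower multiplier inside a window before a planned separation), and lists entitlements that a user's current role does not explain. The egress records, role matrix, user names and dates are all constructed.

```python
"""Volume baseline with termination-window sensitivity, plus a least-privilege
audit of stale entitlements. Added example, not part of the DHS advisory; all
records, roles, users and dates are constructed."""
from collections import defaultdict
from datetime import date, timedelta
import statistics

# Constructed history: three weeks of weekday bytes out per user, with a small
# fixed per-weekday offset (MB) so the baseline has a realistic spread.
JITTER_MB = [3, -2, 1, -1, 2]          # Mon..Fri


def _weekday_rows(user, base_mb, start=date(2014, 3, 10), stop=date(2014, 3, 31)):
    rows, d = [], start
    while d < stop:
        if d.weekday() < 5:
            rows.append((d, user, (base_mb + JITTER_MB[d.weekday()]) * 1_000_000))
        d += timedelta(days=1)
    return rows


HISTORY = _weekday_rows("asmith", 50) + _weekday_rows("bjones", 20)

# Days under review: (day, user, bytes out). cchen has no history at all.
REVIEW = [
    (date(2014, 3, 31), "asmith", 55_000_000),
    (date(2014, 4, 1), "asmith", 400_000_000),
    (date(2014, 4, 1), "bjones", 60_000_000),
    (date(2014, 4, 1), "cchen", 5_000_000),
]
# Planned separation dates supplied by HR (constructed).
TERMINATIONS = {"bjones": date(2014, 4, 10)}


def build_baseline(history, sigma_floor=0.10):
    """Per-user mean and sigma of daily bytes out. Sigma is floored at a fraction
    of the mean so a very steady user is not flagged by ordinary noise."""
    per_user = defaultdict(list)
    for _, user, n in history:
        per_user[user].append(n)
    baseline = {}
    for user, xs in per_user.items():
        mean = statistics.mean(xs)
        baseline[user] = (mean, max(statistics.pstdev(xs), sigma_floor * mean))
    return baseline


def review_egress(review=REVIEW, history=HISTORY, terminations=TERMINATIONS,
                  k_normal=3.0, k_pre_term=1.5, window_days=30):
    """Flag days whose volume exceeds mean + k*sigma. Inside window_days before
    a planned separation the multiplier drops, reflecting the advisory's point
    that exfiltration clusters near termination."""
    baseline = build_baseline(history)
    flags = []
    for day, user, n in review:
        if user not in baseline:
            flags.append({"day": day, "user": user, "bytes": n,
                          "ratio": None, "reason": "no_baseline"})
            continue
        mean, sigma = baseline[user]
        term = terminations.get(user)
        near_term = term is not None and 0 <= (term - day).days <= window_days
        k = k_pre_term if near_term else k_normal
        if n > mean + k * sigma:
            flags.append({"day": day, "user": user, "bytes": n, "ratio": n / mean,
                          "reason": "pre_termination_spike" if near_term
                          else "volume_spike"})
    return flags


# Constructed role matrix and current grants. bjones moved from finance to the
# helpdesk but still holds the finance share: access carried over from a prior role.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp_ap_clerk", "fileshare_finance"},
    "helpdesk": {"ad_password_reset", "ticketing_agent"},
}
CURRENT_ROLE = {"asmith": "accounts_payable", "bjones": "helpdesk"}
GRANTS = {
    "asmith": {"erp_ap_clerk", "fileshare_finance"},
    "bjones": {"ad_password_reset", "ticketing_agent", "fileshare_finance"},
}


def stale_entitlements(grants=GRANTS, roles=CURRENT_ROLE, matrix=ROLE_ENTITLEMENTS):
    """Return {user: sorted grants that the user's current role does not imply}."""
    out = {}
    for user, held in grants.items():
        extra = sorted(held - matrix.get(roles.get(user), set()))
        if extra:
            out[user] = extra
    return out


if __name__ == "__main__":
    for f in review_egress():
        print(f"{f['day']} {f['user']}: {f['reason']} ({f['bytes']} bytes)")
    print("stale entitlements:", stale_entitlements())
```

The volume check and the access audit answer different questions and are deliberately kept apart: the first needs a history window and an HR separation date, the second needs only a current role matrix and can run on every access review cycle. A user with no history is reported rather than silently skipped, since a brand-new account moving data is itself worth a look.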
Training 


Finally, continual training is always a recommended option. Below are descriptions of two free-of-charge 
courses that organizations may want to consider offering to employees, contractors, and others who meet 
the description of an ‘insider’. 

• The Department of Homeland Security (DHS) offers an online independent study course titled 
Protecting Critical Infrastructure Against Insider Threats (IS-915).[31] The one-hour course 
provides guidance to critical infrastructure employees and service providers on how to identify 
and take action against insider threats. 

• The Department of Defense (DoD) also offers an Insider Threat Awareness Course [32] free of 
charge. The course includes a printable certificate after completion and focuses on the insider 
threat as an essential component of a comprehensive security program. 

Just as it is vital to have methods to detect external threats, it is also important to protect your 
organization's information and systems from unauthorized insider misuse. US-CERT recommends that 
organizations use the information and references in this product as tools to improve procedures employed 
to combat insider threats. 

Point of Contact 


Please direct any questions or comments about this product to the NCCIC Analysis team at 
NCCIC@hq.dhs.gov. 

Feedback 


NCCIC/US-CERT continuously strives to improve its products and services. You can help by answering 
a very short series of questions about this product at the following URL: 
https://www.us-cert.gov/forms/feedback 